New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.
The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children's toymaker for both unnecessarily collecting kids' personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.
As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children's Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.
The 2015 hack on VTech's online services led to the theft of sensitive customer information about millions of children and parents.
The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing had been done to address the problem, according to Pen Test Partners' Ken Munro.
The FTC settlement resulted in VTech promising to improve its security. More specifically the deal means that VTech is "required to implement a comprehensive data security program, which will be subject to independent audits for 20 years" as well as "misrepresenting its security and privacy practices".
In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations. It said that the "criminal cyber attack on VTech databases should not be compared with the physical dismantling of one of our products" since they are "fundamentally different acts" before stating that it takes security in general seriously.
While it is not appropriate to share the details, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers' data following the cyber attack in 2015.
We can assure you that we take the commitment on cyber security we gave the FTC last week very seriously indeed. VTech is committed to and will progressively execute data security improvements so that customers of VTech products and services can rest assured the data they entrust with VTech is well protected.
Munro wasn't impressed by what he described as a "carefully caged non-answer". "It doesn't deal with the hardware security issues we raised," he added. ®